https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175297#M1075286 <P>Hey, Rob Thank you for responding,</P><P>&nbsp;</P><P>Are you using FDM or FMC to manage this device? FMC</P><P>&nbsp;</P><P>Can you ping the internet from the FTD itself? Yes I can Ping 8.8.8.8</P><P>&nbsp;</P><P>Do you have NAT configured correctly for outbound traffic from the inside network(s)? Provide the output of "show nat detail".</P><P>&gt; show nat detail<BR />Manual NAT Policies (Section 1)<BR />1 (Inside) to (Outside) source static any interface destination static interface outside2<BR />translate_hits = 8, untranslate_hits = 8<BR />Source - Origin: 0.0.0.0/0, Translated: 64.16.28.11/27<BR />Destination - Origin: 10.20.50.1/24, Translated: 64.16.28.11/3</P><P>&nbsp;</P><P>How have you configured your Access Control Policy (ACP)?</P> Wed, 28 Oct 2020 18:44:23 GMT jdelgado 2020-10-28T18:44:23Z https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4174696#M1075258 <P>Hello,</P><P>&nbsp;</P><P>I have Firepower 2110, which is not passing traffice from the Inside interface to the Outside interface. I have run the packet tracer tool and it states that traffic should be passing normally. I have a static route. I am new to Firepower, and I think the issue may be related to the security levels. but unsure. I have been using pinging as a test and I have been trying to get to webpages also.</P><P>&nbsp;</P><P>Public IP is redacted. But below is the Show Route and Show Run Interfaces output. Also attached is diagram of the issue. Please any and all help would be appreciated.</P><P>&nbsp;</P><P>Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP<BR />D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area<BR />N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2<BR />E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN<BR />i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2<BR />ia - IS-IS inter area, * - candidate default, U - per-user static route<BR />o - ODR, P - periodic downloaded static route, + - replicated route<BR />SI - Static InterVRF<BR />Gateway of last resort is *.*.28.1 to network 0.0.0.0</P><P>S* 0.0.0.0 0.0.0.0 [1/0] via (*).(*).28.1, Outside<BR />C 10.20.50.0 255.255.255.0 is directly connected, Inside<BR />L 10.20.50.1 255.255.255.255 is directly connected, Inside<BR />C (*).(*).28.0 255.255.255.224 is directly connected, Outside<BR />L (*).(*).28.11 255.255.255.255 is directly connected, Outside</P><P>&nbsp;</P><P>interface Ethernet1/1<BR />nameif Outside<BR />cts manual<BR />propagate sgt preserve-untag<BR />policy static sgt disabled trusted<BR />security-level 0<BR />ip address (*).(*).28.11 255.255.255.224<BR />!<BR />interface Ethernet1/2<BR />nameif Inside<BR />cts manual<BR />propagate sgt preserve-untag<BR />policy static sgt disabled trusted<BR />security-level 0<BR />ip address 10.20.50.1 255.255.255.0</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 27 Oct 2020 23:09:45 GMT https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4174696#M1075258 jdelgado 2020-10-27T23:09:45Z https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4174822#M1075270 <P>Hi <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1117082">@jdelgado</a>&nbsp;</P> <P>Are you using FDM or FMC to manage this device?</P> <P>&nbsp;</P> <P>Can you ping the internet from the FTD itself?</P> <P>&nbsp;</P> <P>Do you have NAT configured correctly for outbound traffic from the inside network(s)? Provide the output of "show nat detail".</P> <P>&nbsp;</P> <P>How have you configured your Access Control Policy (ACP)? Please provide a screenshot</P> <P>&nbsp;</P> <P>Provide the output of packet-tracer so we can analyse.</P> Wed, 28 Oct 2020 08:03:09 GMT https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4174822#M1075270 Rob Ingram 2020-10-28T08:03:09Z https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175297#M1075286 <P>Hey, Rob Thank you for responding,</P><P>&nbsp;</P><P>Are you using FDM or FMC to manage this device? FMC</P><P>&nbsp;</P><P>Can you ping the internet from the FTD itself? Yes I can Ping 8.8.8.8</P><P>&nbsp;</P><P>Do you have NAT configured correctly for outbound traffic from the inside network(s)? Provide the output of "show nat detail".</P><P>&gt; show nat detail<BR />Manual NAT Policies (Section 1)<BR />1 (Inside) to (Outside) source static any interface destination static interface outside2<BR />translate_hits = 8, untranslate_hits = 8<BR />Source - Origin: 0.0.0.0/0, Translated: 64.16.28.11/27<BR />Destination - Origin: 10.20.50.1/24, Translated: 64.16.28.11/3</P><P>&nbsp;</P><P>How have you configured your Access Control Policy (ACP)?</P> Wed, 28 Oct 2020 18:44:23 GMT https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175297#M1075286 jdelgado 2020-10-28T18:44:23Z https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175353#M1075287 <P>Try please to remove that NAT rule and replace it with:</P><P><STRONG>nat (inside,outside) after-auto source dynamic any interface</STRONG></P> Wed, 28 Oct 2020 19:13:24 GMT https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175353#M1075287 Aref Alsouqi 2020-10-28T19:13:24Z https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175369#M1075290 <P>I know how to apply the command in an ASA but how would I apply it in the FMC?&nbsp;</P> Wed, 28 Oct 2020 19:30:30 GMT https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175369#M1075290 jdelgado 2020-10-28T19:30:30Z https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175382#M1075292 <P>My bad, apologies, for some reason I had ASA in mind! In the NAT section, add a new rule:</P><P>NAT Rule: Auto NAT Rule</P><P>Type: Dynamic</P><P>Interface Objects: Src (Inside), Dst (Outside)</P><P>Translation - Original Source: Select your internal LAN object from the list, if you don't have it, click on the + button to add one</P><P>Translation - Translated Source: Destination Interface IP</P><P>&nbsp;</P> Wed, 28 Oct 2020 19:54:15 GMT https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175382#M1075292 Aref Alsouqi 2020-10-28T19:54:15Z https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175397#M1075293 <P>It works!! Thank you, Thank You</P> Wed, 28 Oct 2020 20:14:56 GMT https://community.cisco.com/t5/network-security/ftd-firepower-2110-version-6-6-1-not-passing-traffic/m-p/4175397#M1075293 jdelgado 2020-10-28T20:14:56Z